We used to call SecurityOrigin::grantUniversalAccess() for the inspector front-end page. This does not seem to be necessary anymore, so I suggest removing it for slightly tighter security control.
Created attachment 62286: patch
Comment on attachment 62286: patch

WebKit/chromium/src/WebDevToolsFrontendImpl.cpp:
+ SecurityOrigin* origin = m_webViewImpl->page()->mainFrame()->domWindow()->securityOrigin();

IIRC we needed this to be able to set iframe content. It shouldn't be necessary with the new SourceFrame implementation.
Comment on attachment 62286: patch

Clearing flags on attachment: 62286

Committed r63896: <http://trac.webkit.org/changeset/63896>
All reviewed patches have been landed. Closing bug.